It can be unwise to make too much of reported and/or throwaway remarks, but I’m going to look at a recent reported, and possibly throwaway, remark by a senior manager from the Information Commissioner’s Office (ICO) at a recent Law Society conference on the General Data Protection Regulation (GDPR).

Giving “A perspective from the ICO”, Richard Nevinson, Group Manager for Policy and Engagement, was reported by the Law Society Gazette to have said, on the subject of potential administrative fines under GDPR:

If a breach warranted a fine of £30,000 under the Data Protection Act it probably warrants a similar fine under GDPR

This perhaps doesn’t at first blush sound that notable: the Commissioner herself – Elizabeth Denham – has been at pains, over the months leading up to GDPR coming into direct effect, to stress that, although the maximum fine will increase from £500,000 to €20m or 4% of annual global turnover (whichever is larger), such fines are not her focus:

Predictions of massive fines under the GDPR that simply scale up penalties we’ve issued under the Data Protection Act are nonsense

What Nevinson said though, goes further than anything I’ve seen so far from the ICO. Because, if what he is reported to have said is correct, it would mean that we should see no change in frequency or amount of fines, unless there is a contravention on an unprecedented scale. The highest fine levied under the existing Data Protection Act 1998 (DPA) has been £400,000 (twice – once to Talk Talk and once to Carphone Warehouse) – only 80% of the current maximum. This means that the ICO cannot feel that the current maximum sets a cap which frustrates them by preventing them from issuing higher fines. One would assume, therefore, that the ICO would (must?) see GDPR’s legislative intent as being to “scale up” fines in some way. But no – says Nevinson – £X under DPA will equate to £X under GDPR.

Following that line of argument, as we have never seen a fine of £500,000 under DPA we will not see one of that size (or higher) under GDPR, unless a contravention emerges that is worse than anything seen before.

I may be wildly over-analysing what he was reported to have said, but I thought it noteworthy enough to blog about it at 06:00 in the morning, so I thought you might too.

Oh, and Nevinson might not be right or might not have been accurately reported, and I definitely might not be right. So you’d be silly to pay too much attention, and you certainly shouldn’t forget about the risks that fines may represent under GDPR.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

The GDPR only talks about maximum fines, but the natural interpretation is that fining under the GDPR will be more stringent than under previous data protection legislation – although the change will vary significantly by country, since up to now EU countries have wildly different fining records.

Also, the ICO will no longer be able to take fining decisions which are totally independent. The consistency mechanism, supervised by the EDPB, is intended to create similar fines for equivalent infractions, regardless of country.

No doubt you’re right in practice, but in the spirit of over-analysing, it would of course be overstating the case to assume that a limit must have no effect if it is not reached, “£X…will equate to £X”. Even if the starting point for a particular penalty were taken to be the maximum, there would almost always be some legal mitigating factors that then reduce the amount finally imposed. By extension, there may in turn have been a moderating effect on any other fines near the £500,000 limit, though granted that seems much less likely to have rippled all the way down to penalties at the £30,000 level. Hence, perhaps, the wise but weasel word “probably” in Mr Nevinson’s speech.